Information Security Program CHARTER

Size: px
Start display at page:

Download "Information Security Program CHARTER"

Transcription

1 State of Louisiana Information Security Program CHARTER Date Published: 12, 09, 2015

2 Contents Executive Sponsors... 3 Program Owner... 3 Introduction... 4 Statewide Information Security Strategy... 4 Information Security Program... 4 Purpose and Scope... 4 Program Components... 4 Information Security Governance... 5 Governance Structure... 5 Roles and Responsibilities... 5 Changes and Amendments...11 Approval...11 Document Revision Log...11 Classification: Public Page 2 of 11

3 Executive Sponsors State Chief Information Officer Dep. State Chief Information Officer Director of Human Capital Management Asst. Commissioner of Administration Facility Planning & Control Asst. Commissioner of Administration Management & Finance Asst. Commissioner of Administration Procurement, General Counsel Commissioner of Administration Program Owner Dustin Glover, Chief Information Security Officer Classification: Public Page 3 of 11

4 Introduction This charter defines the Information Security Strategy, Purpose, Scope, and Components of the Information Security Program; and management roles and responsibilities, including the role of the Chief Information Security Officer (CISO) and the Information Security Team (IST). Statewide Information Security Strategy The State of Louisiana and its operational Agencies are entrusted with sensitive and confidential information including, but not limited to, Criminal Justice Information (CJI), Protected Health Information (PHI), Federal Tax Information (FTI), and Personally Identifiable Information (PII) and acknowledges the responsibility and steps required to protect that information. As such, the State has adopted an Information Security Strategy intended to align information security with operational strategy; to comply with applicable legal and regulatory requirements; to achieve industry standards; to manage, monitor, and mitigate information security risks and incidents; to optimize information security investments; to manage information security resources efficiently; and to monitor the ongoing effectiveness of the Information Security Program. Information Security Program Purpose and Scope In order to implement the Information Security Strategy, the has developed and implemented an Information Security Program. The scope of the Program includes all people, processes, technologies, and environmental factors involved in the creation, use, destruction, storage, restoration, management, and governance of information and information assets. Additionally, the Program is designed to provide for the availability, integrity, authentication, confidentiality, and non-repudiation of information systems and information assets. Program Components Information Risk Management Identify and manage information security risks and align Information Security Strategy with the operational needs of the State. Information Security Program Development Create and maintain a program to implement the Information Security Strategy. Information Security Program Management Oversee, direct, and monitor information security activities to execute the Information Security Program. Incident Management & Response Plan, develop, and manage appropriate capabilities and measures to detect, respond to and recover from information security incidents. Information Security Governance Establish and maintain a governance structure to provide for accountability and assurance that the Information Security Strategy is aligned with the operational needs of the State and consistent with applicable law, regulations, and industry best practices. Classification: Public Page 4 of 11

5 Information Security Governance Governance Structure Governance Board (ISGB) Steering Committee (ISSC) Information Security Program Advisory Council (ISAC) Roles and Responsibilities Information Security Governance Board (ISGB) The ISGB is responsible for confirming that the State: Aligns the Information Security Strategy with the State s operational strategies. Manages information security risks through appropriate risk tolerance levels and risk policies. Assigns priority for information security activities and investments. Requires reporting of security activity costs and security breaches. Monitors the effectiveness of security measures. Manages, assigns, and monitors resources utilization. Oversees security process integrations within the State. Monitor regulatory compliance. Oversees the incident management and reporting of security breaches. Confirms information security processes utilize and produce effective metrics. Meetings: The ISGB meets quarterly. Membership: The ISGB is comprised of members of the s Executive Staff and Agency Leadership. Additions and changes to the membership of the ISGB may be proposed and approved by the ISGB. As of 09/01/2015 the ISGB Members: 1. State Chief Information Officer (ISGB Co-Chair) 2. Chief Information Security Officer (ISGB Co-Chair) 3. General Counsel 4. Assistant Commissioner Procurement 5. Assistant Commissioner Facility Planning and Control 6. Director, Office of State Human Capital Management 7. Director, Office of Planning and Budget 8. Agency Deputy Executive Director (3) (Alternating 2 year terms) Classification: Public Page 5 of 11

6 Information Security Steering Committee (ISSC) The ISSC is responsible for assisting the ISGB and CISO with implementing and maintaining the Information Security Strategy and Information Security Program. The core functions of the ISSC include: Managing security strategy and integration efforts Operational support and service integration Assist with identifying emerging risks Promoting security practices Identifying compliance issues Reviewing and advising on the adequacy of security initiatives to service the operational needs of the State Assist with identifying of critical processes and assurance Directing Assurance integration efforts Require monitory and business case studies of security initiatives Meetings: ISSC meets monthly. Membership: The ISSC is comprised of members of the s Office of Technology Services (OTS) Executive Leadership Team. Additions and changes to the membership of the ISSC may be proposed and approved by the ISSC. 1. Deputy Chief Information Officer (ISSC Co-Chair) 2. Chief Information Security Officer (ISSC Co-Chair) 3. Chief Technology Officer 4. Chief Data Officer 5. Director of Data Center Operations 6. Director of Application and Data Management 7. Director of Network Services 8. Director of End User Computing 9. Director of Agency Relationship Management 10. Director of Project Management Classification: Public Page 6 of 11

7 Information Security Advisory Council (ISAC) The ISAC is responsible for advising the CISO on any emerging information security risk(s) and statewide program effectiveness. The core functions of the ISSC include: Communicate identified, emerging, or potential information security risk(s) Identifying upcoming changes in federal or state regulatory or compliance related information security requirements Reviewing and advising on the adequacy of security initiatives to service the operational needs of the State Assist with identifying of critical processes Identify opportunities to address information security risk(s) with consistent, efficient, and standardized methods Meetings: ISAC meets bi-annually or as needed. Membership: The ISAC is comprised of subject matter experts from various state, federal, or local entities selected by the CISO or ISGB. Additions and changes to the membership of the ISAC may be proposed by any member of the ISAC, ISGB, or ISSC and approved by the CISO. 1. Chief Information Security Officer (ISAC Chair) 2. Information Security Team 3. Representative(s) from Out of Scope Agencies. (Higher Education, Enforcement Agencies, Etc.) Classification: Public Page 7 of 11

8 Chief Information Security Officer (CISO) The CISO is responsible for the development, maintenance, and implementation of the Information Security Program. The CISO leads the Information Security Team (IST) and works with various State Offices, Agencies, assurance functions, and internal or external parties to implement, monitor, and execute the Program. The CISO is empowered and authorized to take appropriate steps and actions to successfully manage the Program and respond to security incidents while working closely with Legal, Compliance, and Human Resources Offices as appropriate. The core responsibilities of the CISO are: Governance Develop, in conjunction with the ISGB, the Information Security Strategy. Develop, oversee, implement, and maintain the Information Security Program and related initiatives. Align, in conjunction with the ISGB, the Information Security Strategy with the operational strategy of the State. Liaise with agency leadership and process owners to support ongoing alignment and verify risk and operational impact assessments are conducted and that risk mitigation strategies are being implemented. Assist in identifying current and potential legislation and regulatory requirements affecting information security. Monitor utilization and effectiveness of information security resources by developing and implementing monitoring and metrics. Direct and monitor information security activities. Liaise with other assurance providers (e.g., Internal Audit, Louisiana Legislative Audit, External Auditors, Compliance Counsel, Privacy Officer, etc.) regarding information security. Provide assurance for proper response and reporting of information security incidents. Define information security roles and responsibilities throughout the State. Working with ISGB, establish reporting and communication needed to support the Information Security Program. Information Risk Management Establish and maintain processes for information asset classification and ownership. Implement a systematic and structured information risk assessment process. Confirm operational impact assessments are conducted periodically. Verify threat and vulnerability evaluations are performed on an ongoing basis. Identify and periodically evaluate information security controls and countermeasures for mitigation of risk to acceptable levels. Integrate risk, threat, and vulnerability management into operational life cycle processes (e.g., project management, development, procurement, and employment life cycles). Report significant changes in information security risk to appropriate levels of management on both periodic and event-driven basis. Classification: Public Page 8 of 11

9 Information Security Program Development and Management Develop, maintain, and manage plans to implement the Information Security Strategy while providing clear visibility to the specific activities being performed within the Information Security Program. Establish, communicate, and maintain information security policies, and verify that processes and procedures are performed in a compliant manner. Confirm the development, communication, and maintenance of standards, procedures, and other documentation (e.g., guidelines, baselines, codes of conduct) that support information security policies. Develop the information security resources, including people, processes, and technology. When applicable, working with the CIO and Dep. CIO, identify and manage internal and external resources (e.g., finances, people, equipment, systems) required for the execution of the program. Develop processes to ensure applicable contracts and agreements contain the necessary information security controls (e.g., outsourced providers, residents, third parties). Identify opportunities to integrate information security requirements within the State s operational processes and life cycle activities. Provide Information Security advice and guidance (e.g., risk and analysis, control options) to the State. Ensure alignment between the Information Security Program and other assurance functions. Design, develop, and manage processes to provide information security awareness, training, and education to the appropriate audiences.(e.g., process owners, users, OTS resources). Define and establish metrics to evaluate the effectiveness of the Information Security Program Verify any Information Security Program compliance issue or other variance is resolved in a timely manner. Monitor, measure, validate, and report on the effectiveness and efficiency of information security controls and program compliance. Incident Management and Response Develop and implement processes to prevent, detect, respond, and recover from information security incidents. Establish clear escalation and communication processes including lines of authority during incident response. Develop and maintain incident response plans to ensure timely response, reporting, and remediation. Establish the capability to investigate and analyze information security incidents in order to determine root cause (e.g., forensics, evidence collection and preservation, log analysis, interviewing). Develop a process in accordance with Incident Management & Response Policy to communicate with internal parties and external organizations (e.g., media, law enforcement, residents). Integrate information security incident response plans with the State s disaster recovery and operational continuity plans. Periodically test and refine information security incident response plans. Manage the response to information security incidents. As needed, conduct reviews of systems, applications, networks, or processes related to previous information security incidents to ensure remediation actions are working as designed. Develop corrective actions, reassess risk, and establish monitoring mechanisms as needed. Classification: Public Page 9 of 11

10 Information Security Team (IST) The IST is comprised of specifically selected OTS resources at various operational levels with the primary responsibility of performing operational information security functions. Lead by the CISO, the IST works with applicable OTS and Agency resources to develop, implement, communicate, and apply the Information Security Policy to State Systems and Data. As needed the IST is authorized to add, modify, or remove safeguards and controls to improve the information security posture of the State. The core responsibilities of the IST are: Provide guidance, support, direction, and authority for all information security activities for the State in accordance with and in support of the Information Security Program. Employ a series of layered technical and non-technical safeguards and controls leveraging manual or automated processes and procedures in order to protect the State s information and information assets. Enforce the information security policy and provide direction for all information security activities for the State in accordance with and in support of the Information Security Program. Engage and work with various State agencies, offices, assurance functions, and internal and external parties as needed for managing the program. Take appropriate steps and actions for managing and responding to information security incidents, policy violations, forensics and investigations, internal or external exploits, threats and vulnerabilities. Provide management direction in line with operational goals and objectives and relevant law and regulations, demonstrate support for, and commitment to information through the maintenance and implementation of the Information Security Policy across the State. Additionally, in accordance with the Information Security Program and Policy, the IST will implement, manage, validate, and monitor relevant information security controls for: Identity and Access Management Information Security Risk Management Incident Management Data Center Security Network Communications and Device Security Configuration Management Data Sanitization Vulnerability Management Audit Logging and Event Monitoring Information Asset Management Information Security Training and Awareness Data Protection and Encryption Requirements Classification: Public Page 10 of 11

11 Information Security Officer (ISO) The CISO will assign specific members of the IST to serve as an ISO. An ISO will assist in leading Information Security Program initiatives related to specific regulatory environments. An ISO will also function as a dedicated resource for agencies to assist with planning, audits, incident response, data protection, disclosure, notifications, and ensure regulatory requirements are implemented in a verifiable manner. Minimally, an individual ISO shall be assigned for the following Restricted Data types: Federal Tax Information (FTI) Protected Health Information (PHI) Criminal Justice Information (CJI) Changes and Amendments Changes and Amendments to this may be proposed by any member of the ISGB. The ISGB will review and approve the proposed changes or amendments. Approval Document Revision Log Name Date Action Dustin Glover, CISO 05/01/2015 Created Draft Dustin Glover, CISO 08/03/2015 Finalized Draft Dustin Glover, CISO 10/21/2015 Updated with initial OGC recommendations Dustin Glover, CISO 12/04/2015 Updated Executive Sponsors based on leadership change. Classification: Public Page 11 of 11

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM Stepping Through the Info Security Program Jennifer Bayuk, CISA, CISM Infosec Program How to: compose an InfoSec Program cement a relationship between InfoSec program and IT Governance design roles and

More information

NSW Government Digital Information Security Policy

NSW Government Digital Information Security Policy NSW Government Digital Information Security Policy Version: 2.0 Date: April 2015 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 POLICY STATEMENT... 4 Core

More information

DUUS Information Technology (IT) Incident Management Standard

DUUS Information Technology (IT) Incident Management Standard DUUS Information Technology (IT) Incident Management Standard Issue Date: October 1, 2013 Effective Date: October 1,2013 Revised Date: Number: DHHS-2013-001-E 1.0 Purpose and Objectives Computer systems

More information

HIPAA Privacy Rule Policies

HIPAA Privacy Rule Policies DRAFT - Policies and Procedures PRIVACY OFFICE ASSIGNMENT AND RESPONSIBILITIES APPROVED BY: SUPERCEDES POLICY: Policy #1 ADOPTED: REVISED: REVIEWED: Purpose This policy is designed to assure the establishment

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA White Paper Achieving GLBA Compliance through Security Information Management White Paper / GLBA Contents Executive Summary... 1 Introduction: Brief Overview of GLBA... 1 The GLBA Challenge: Securing Financial

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

INFORMATION TECHNOLOGY POLICY

INFORMATION TECHNOLOGY POLICY COMMONWEALTH OF PENNSYLVANIA DEPARTMENT OF PUBLIC WELFARE INFORMATION TECHNOLOGY POLICY Name Of : DPW Information Security and Privacy Policies Domain: Security Date Issued: 05/09/2011 Date Revised: 11/07/2013

More information

Utica College. Information Security Plan

Utica College. Information Security Plan Utica College Information Security Plan Author: James Farr (Information Security Officer) Version: 1.0 November 1 2012 Contents Introduction... 3 Scope... 3 Information Security Organization... 4 Roles

More information

Data Privacy Framework

Data Privacy Framework Data Privacy Framework Table of Contents 1. INTRODUCTION...4 2. SCOPE & DEFINITIONS...4 2.1 SCOPE OF THE DATA PRIVACY FRAMEWORK...4 2.2 DEFINITIONS...4 3. SECURITY ORGANIZATION & RESPONSIBILITIES...4 3.1

More information

Information Security Program

Information Security Program Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security

More information

CHAPTER 2016-138. Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033

CHAPTER 2016-138. Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033 CHAPTER 2016-138 Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033 An act relating to information technology security; amending s. 20.61, F.S.; revising the

More information

Information Security Policy

Information Security Policy State of Louisiana Information Security Policy Date Published: 12/16/2015 Approval Updates A description and log of any and all future updates shall be contained within this policy section. Classification:

More information

NSW Government Digital Information Security Policy

NSW Government Digital Information Security Policy NSW Government Digital Information Security Policy Version: 1.0 Date: November 2012 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 CORE REQUIREMENTS...

More information

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES Final Report Prepared by Dr Janet Tweedie & Dr Julie West June 2010 Produced for AGIMO by

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

Wiltshire Police Force Information Security Policy

Wiltshire Police Force Information Security Policy Wiltshire Police Force Information Security Policy Table of Contents 1. INTRODUCTION 2. PURPOSE 3. SCOPE 4. POLICY STATEMENT 5. ROLES & RESPONSIBILITIES 6. ACCREDITATION 7. MOBILE & REMOTE WORKING 8. 3

More information

Privacy Governance and Compliance Framework Accountability

Privacy Governance and Compliance Framework Accountability Privacy Governance and Framework Accountability Agenda Global Data Protection and Privacy (DPP) Organization Structure Privacy The 3 Lines of Defense (LOD) Model: Overview Privacy The 3 Lines of Defense

More information

CITY UNIVERSITY OF HONG KONG

CITY UNIVERSITY OF HONG KONG CITY UNIVERSITY OF HONG KONG (Approved by the Information Strategy and Governance Committee in December 2013) PUBLIC Date of Issue: 2013-12-24 Document Control Document Owner Classification Publication

More information

Computer Security Incident Response Plan. Date of Approval: 23- FEB- 2015

Computer Security Incident Response Plan. Date of Approval: 23- FEB- 2015 Name of Approver: Mary Ann Blair Date of Approval: 23- FEB- 2015 Date of Review: 22- FEB- 2015 Effective Date: 23- FEB- 2015 Name of Reviewer: John Lerchey Table of Contents Table of Contents... 2 Introduction...

More information

State of Minnesota. Enterprise Security Program Policy. Office of Enterprise Technology. Enterprise Security Office Policy. Version 1.

State of Minnesota. Enterprise Security Program Policy. Office of Enterprise Technology. Enterprise Security Office Policy. Version 1. State of Minnesota Enterprise Security Program Policy Office of Enterprise Technology Version 1.00 Approval: Gopal Khanna (Signature on file with the ESO) 06/22/2009 State Chief Information Officer Signature

More information

Information Technology Policy

Information Technology Policy ITP Number ITP-SEC024 Category Security Contact RA-ITCentral@pa.gov Information Technology Policy IT Security Incident Policy Effective Date August 2, 2012 Supersedes Scheduled Review Annual 1. Purpose

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II). Page 1 of 7 The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II). Domain I provides a solid foundation for the governance of

More information

(Instructor-led; 3 Days)

(Instructor-led; 3 Days) Information Security Manager: Architecture, Planning, and Governance (Instructor-led; 3 Days) Module I. Information Security Governance A. Introduction to Information Security Governance B. Overview of

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information

CSU INFORMATION SECURITY. Presentation for 2012 CSU Auxiliary Conference January 11, 2012

CSU INFORMATION SECURITY. Presentation for 2012 CSU Auxiliary Conference January 11, 2012 CSU INFORMATION SECURITY Presentation for 2012 CSU Auxiliary Conference January 11, 2012 Agenda Governance, Risk, and Compliance (GRC) Project Virtual Information Security Service Center (VISC) Compliance

More information

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Information Security Policy Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Contents 1 Purpose / Objective... 1 1.1 Information Security... 1 1.2 Purpose... 1 1.3 Objectives...

More information

CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT) CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT) PURPOSE: The purpose of this procedure is to establish the roles, responsibilities, and communication procedures for the Computer Security Incident

More information

State of South Carolina Initial Security Assessment

State of South Carolina Initial Security Assessment State of South Carolina Initial Security Assessment Deloitte & Touche LLP Date: May 1, 2013 Our services were performed in accordance with the Statement on Standards for Consulting Services that is issued

More information

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security

More information

Guide for the Role and Responsibilities of an Information Security Officer Within State Government

Guide for the Role and Responsibilities of an Information Security Officer Within State Government Guide for the Role and Responsibilities of an Information Security Officer Within State Government Table of Contents Introduction 3 The ISO in State Government 4 Successful ISOs Necessary Skills and Abilities

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Federal Bureau of Investigation s Integrity and Compliance Program

Federal Bureau of Investigation s Integrity and Compliance Program Evaluation and Inspection Division Federal Bureau of Investigation s Integrity and Compliance Program November 2011 I-2012-001 EXECUTIVE DIGEST In June 2007, the Federal Bureau of Investigation (FBI) established

More information

RISK AND COMPLIANCE COMMITTEE CHARTER

RISK AND COMPLIANCE COMMITTEE CHARTER 1. GENERAL SCOPE AND AUTHORITY 1.1 Introduction This charter governs the operations of the Risk & Compliance Committee of Redflex Holdings Limited (RHL or Company). 1.2 Purpose The Risk & Compliance Committee

More information

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014 DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014 Revision History Update this table every time a new edition of the document is published Date Authored

More information

Guideline for Roles & Responsibilities in Information Asset Management

Guideline for Roles & Responsibilities in Information Asset Management ISO 27001 Implementer s Forum Guideline for Roles & Responsibilities in Information Asset Management Document ID ISMS/GL/ 003 Classification Internal Use Only Version Number Initial Owner Issue Date 07-08-2009

More information

State of Oregon. State of Oregon 1

State of Oregon. State of Oregon 1 State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

Revision Date: October 16, 2014 Effective Date: March 1, 2015. Approved by: BOR Approved on date: October 16, 2014

Revision Date: October 16, 2014 Effective Date: March 1, 2015. Approved by: BOR Approved on date: October 16, 2014 Information Security Information Technology Policy Identifier: IT-003 Revision Date: October 16, 2014 Effective Date: March 1, 2015 Approved by: BOR Approved on date: October 16, 2014 Table of Contents

More information

State of Minnesota. Office of Enterprise Technology (OET) Enterprise Vulnerability Management Security Standard

State of Minnesota. Office of Enterprise Technology (OET) Enterprise Vulnerability Management Security Standard State of Minnesota Office of Enterprise Technology (OET) Enterprise Vulnerability Management Security Standard Approval: Enterprise Security Office (ESO) Standard Version 1.00 Gopal Khanna

More information

CLASSIFICATION SPECIFICATION FORM

CLASSIFICATION SPECIFICATION FORM www.mpi.mb.ca CLASSIFICATION SPECIFICATION FORM Human Resources CLASSIFICATION TITLE: POSITION TITLE: (If different from above) DEPARTMENT: DIVISION: LOCATION: Executive Director Executive Director, Information

More information

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL FY 2015 INDEPENDENT EVALUATION OF THE EFFECTIVENESS OF NCUA S INFORMATION SECURITY PROGRAM UNDER THE FEDERAL INFORMATION SECURITY MODERNIZATION

More information

Information Governance Management Framework

Information Governance Management Framework Information Governance Management Framework Responsible Officer Author Business Planning & Resources Director Governance Manager Date effective from October 2015 Date last amended October 2015 Review date

More information

John Essner, CISO Office of Information Technology State of New Jersey

John Essner, CISO Office of Information Technology State of New Jersey John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

Risk Management Guide for Information Technology Systems. NIST SP800-30 Overview

Risk Management Guide for Information Technology Systems. NIST SP800-30 Overview Risk Management Guide for Information Technology Systems NIST SP800-30 Overview 1 Risk Management Process that allows IT managers to balance operational and economic costs of protective measures and achieve

More information

Audit Risk & Governance Committee Charter

Audit Risk & Governance Committee Charter Purpose a) The Audit Risk & Governance Committee (Committee) is a formally appointed Committee of the Board of Directors of the Australian Wine Consumers Co-operative Society Limited (the Co-operative)

More information

WHITEPAPER Complying with HIPAA LogRhythm and HIPAA Compliance

WHITEPAPER Complying with HIPAA LogRhythm and HIPAA Compliance WHITEPAPER Complying with HIPAA LogRhythm and HIPAA Compliance Complying With HIPAA The Department of Health and Human Services (HHS) enacted the Health Insurance Portability and Accountability Act of

More information

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is

More information

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland Audit Report Effectiveness of IT Controls at the Global Fund Follow-up report GF-OIG-15-20b Geneva, Switzerland Table of Contents I. Background and scope... 3 II. Executive Summary... 4 III. Status of

More information

Our Commitment to Information Security

Our Commitment to Information Security Our Commitment to Information Security What is HIPPA? Health Insurance Portability and Accountability Act 1996 The HIPAA Privacy regulations require health care providers and organizations, as well as

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

Vermont Information Technology Leaders

Vermont Information Technology Leaders Vermont Information Technology Leaders HIPAA COMPLIANCE POLICIES AND PROCEDURES Policy Number: InfoSec 1 Policy Title: Information Privacy and Security Management Process IDENT INFOSEC1 Type of Document:

More information

Data Privacy and Gramm- Leach-Bliley Act Section 501(b)

Data Privacy and Gramm- Leach-Bliley Act Section 501(b) Data Privacy and Gramm- Leach-Bliley Act Section 501(b) October 2007 2007 Enterprise Risk Management, Inc. Agenda Introduction and Fundamentals Gramm-Leach-Bliley Act, Section 501(b) GLBA Life Cycle Enforcement

More information

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant THE MARKET LEADER IN IT, SECURITY AND COMPLIANCE SERVICES FOR COMMUNITY FINANCIAL INSTITUTIONS The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant Agenda

More information

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India CIRCULAR CIR/MRD/DP/13/2015 July 06, 2015 To, All Stock Exchanges, Clearing Corporation and Depositories. Dear Sir / Madam, Subject: Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

Missouri Student Information System Data Governance

Missouri Student Information System Data Governance Nicole R. Galloway, CPA Missouri State Auditor ELEMENTARY AND SECONDARY EDUCATION Missouri Student Information System Data Governance October 2015 http://auditor.mo.gov Report No. 2015-093 Nicole R. Galloway,

More information

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security

More information

REQUEST FOR BOARD ACTION

REQUEST FOR BOARD ACTION REQUEST FOR BOARD ACTION HENDERSON COUNTY BOARD OF COMMISSIONERS MEETING DATE: 23 March 2005 SUBJECT: ATTACHMENT(S): HIPAA 1. Proposed Resolution adopting policies 2. Proposed policies SUMMARY OF REQUEST:

More information

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department

More information

Subject: Safety and Soundness Standards for Information

Subject: Safety and Soundness Standards for Information OFHEO Director's Advisory Policy Guidance Issuance Date: December 19, 2001 Doc. #: PG-01-002 Subject: Safety and Soundness Standards for Information To: Chief Executive Officers of Fannie Mae and Freddie

More information

Richard Gadsden Information Security Office Office of the CIO Information Services

Richard Gadsden Information Security Office Office of the CIO Information Services Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO Information Services Sharon Knowles Information Assurance Compliance MUSC Medical Center

More information

Information Security Plan May 24, 2011

Information Security Plan May 24, 2011 Information Security Plan May 24, 2011 REVISION CONTROL Document Title: Author: HSU Information Security Plan John McBrearty Revision History Revision Date Revised By Summary of Revisions Sections Revised

More information

CORE Security and GLBA

CORE Security and GLBA CORE Security and GLBA Addressing the Graham-Leach-Bliley Act with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Business Associate Agreement (the Agreement ) is made by and between Business Associate, [Name of Business Associate], and Covered Entity, The Connecticut Center for Health,

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

King III Compliance Schedule and Explanation

King III Compliance Schedule and Explanation King III Compliance Schedule and Explanation Principle The Board should provide effective leadership based on an ethical foundation the company is and is seen to be a responsible corporate citizen the

More information

Computer Security Incident Response Team

Computer Security Incident Response Team Computer Security Incident Response Team Operational Standards The University of Scranton Information Security Office August 2014 Table of Contents 1.0 Operational Standards Document Overview... 3 2.0

More information

RISK MANAGEMENT FRAMEWORK

RISK MANAGEMENT FRAMEWORK RISK MANAGEMENT FRAMEWORK DOCUMENT INFORMATION DOCUMENT TYPE: DOCUMENT STATUS: POLICY OWNER POSITION: INTERNAL COMMITTEE ENDORSEMENT: APPROVED BY: Strategic document Approved Manager Organisational Development

More information

DHHS Information Technology (IT) Access Control Standard

DHHS Information Technology (IT) Access Control Standard DHHS Information Technology (IT) Access Control Standard Issue Date: October 1, 2013 Effective Date: October 1,2013 Revised Date: Number: DHHS-2013-001-B 1.0 Purpose and Objectives With the diversity of

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS TABLE OF CONTENTS General Topics Purpose and Authorities Roles and Responsibilities Policy and Program Waiver Process Contact Abbreviated Sections/Questions 7.1 What is the purpose of this chapter? 7.2

More information

Governance and Management of Information Security

Governance and Management of Information Security Governance and Management of Information Security Øivind Høiem, CISA CRISC Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector secretary for information

More information

General HIPAA Implementation FAQ

General HIPAA Implementation FAQ General HIPAA Implementation FAQ What is HIPAA? Signed into law in August 1996, the Health Insurance Portability and Accountability Act ( HIPAA ) was created to provide better access to health insurance,

More information

Compliance Management, made easy

Compliance Management, made easy Compliance Management, made easy LOGPOINT SECURING BUSINESS ASSETS SECURING BUSINESS ASSETS LogPoint 5.1: Protecting your data, intellectual property and your company Log and Compliance Management in one

More information

Achieving Security through Compliance

Achieving Security through Compliance Achieving Security through Compliance Policies, plans, and procedures Table of Contents This white paper was written by: McAfee Foundstone Professional Services Overview...3 The Rock Foundation...3 Governance...3

More information

State of West Virginia Office of Technology Policy: Information Security Audit Program Issued by the CTO

State of West Virginia Office of Technology Policy: Information Security Audit Program Issued by the CTO Policy: Information Security Audit Program Issued by the CTO Policy No: WVOT-PO1008 Issue Date: 08.01.09 Revised: Page 1 of 12 1.0 PURPOSE The West Virginia Office of Technology (WVOT) will maintain an

More information

Domain 5 Information Security Governance and Risk Management

Domain 5 Information Security Governance and Risk Management Domain 5 Information Security Governance and Risk Management Security Frameworks CobiT (Control Objectives for Information and related Technology), developed by Information Systems Audit and Control Association

More information

Computer Security Incident Response Team

Computer Security Incident Response Team University of Scranton Computer Security Incident Response Team Operational Standards Information Security Office 1/27/2009 Table of Contents 1.0 Operational Standards Document Overview... 3 2.0 Establishment

More information

White Paper Achieving SOX Compliance through Security Information Management. White Paper / SOX

White Paper Achieving SOX Compliance through Security Information Management. White Paper / SOX White Paper Achieving SOX Compliance through Security Information Management White Paper / SOX Contents Executive Summary... 1 Introduction: Brief Overview of SOX... 1 The SOX Challenge: Improving the

More information

CISM (Certified Information Security Manager) Document version: 6.28.11

CISM (Certified Information Security Manager) Document version: 6.28.11 CISM (Certified Information Security Manager) Document version: 6.28.11 Important Note About CISM PDF techexams CISM PDF is a comprehensive compilation of questions and answers that have been developed

More information

Privacy & Security Matters: Protecting Personal Data. Privacy & Security Project

Privacy & Security Matters: Protecting Personal Data. Privacy & Security Project Privacy & Security Matters: Protecting Personal Data Privacy & Security Project HIPAA: What it is Health Insurance Portability and Accountability Act of 1996 Also known as Kennedy-Kassebaum Act Legislation

More information

Intelligent Vendor Risk Management

Intelligent Vendor Risk Management Intelligent Vendor Risk Management Cliff Baker, Managing Partner, Meditology Services LeeAnn Foltz, JD Compliance Resource Consultant, WoltersKluwer Law & Business Agenda Why it s Needed Regulatory Breach

More information

INFORMATION TECHNOLOGY SECURITY POLICY

INFORMATION TECHNOLOGY SECURITY POLICY INFORMATION TECHNOLOGY SECURITY POLICY P R O C E D U R A L M E M O R A N D U M 7 0-05 D e p a r t m e n t o f I n f o r m a t i o n T e c h n o l o g y I n f o r m a t i o n S e c u r i t y O f f i c e

More information

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

KING III CORPORATE GOVERNANCE COMPLIANCE REGISTER

KING III CORPORATE GOVERNANCE COMPLIANCE REGISTER KING III CORPORATE GOVERNANCE REGISTER CHAPTER 1: ETHICAL LEADERSHIP AND CORPORATE CITIZENSHIP NON 1.1. The board should provide effective leadership based on an ethical foundation 1.2. The board should

More information

Anthony J. Albanese, Acting Superintendent of Financial Services. Financial and Banking Information Infrastructure Committee (FBIIC) Members:

Anthony J. Albanese, Acting Superintendent of Financial Services. Financial and Banking Information Infrastructure Committee (FBIIC) Members: Andrew M. Cuomo Governor Anthony J. Albanese Acting Superintendent FROM: TO: Anthony J. Albanese, Acting Superintendent of Financial Services Financial and Banking Information Infrastructure Committee

More information

FedRAMP Standard Contract Language

FedRAMP Standard Contract Language FedRAMP Standard Contract Language FedRAMP has developed a security contract clause template to assist federal agencies in procuring cloud-based services. This template should be reviewed by a Federal

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

REVIEW OF NASA S MANAGEMENT AND OVERSIGHT

REVIEW OF NASA S MANAGEMENT AND OVERSIGHT SEPTEMBER 16, 2010 AUDIT REPORT OFFICE OF AUDITS REVIEW OF NASA S MANAGEMENT AND OVERSIGHT OF ITS INFORMATION TECHNOLOGY SECURITY PROGRAM OFFICE OF INSPECTOR GENERAL National Aeronautics and Space Administration

More information

Developing National Frameworks & Engaging the Private Sector

Developing National Frameworks & Engaging the Private Sector www.pwc.com Developing National Frameworks & Engaging the Private Sector Focus on Information/Cyber Security Risk Management American Red Cross Disaster Preparedness Summit Chicago, IL September 19, 2012

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

San Francisco Chapter. Presented by Mike O. Villegas, CISA, CISSP

San Francisco Chapter. Presented by Mike O. Villegas, CISA, CISSP Presented by Mike O. Villegas, CISA, CISSP Agenda Information Security (IS) Vision at Newegg.com Typical Issues at Most Organizations Information Security Governance Four Inter-related CoBIT Domains ISO

More information

Purpose. Service Model SaaS (Applications) PaaS (APIs) IaaS (Virtualization) Use Case 1: Public Use Case 2: Use Case 3: Public.

Purpose. Service Model SaaS (Applications) PaaS (APIs) IaaS (Virtualization) Use Case 1: Public Use Case 2: Use Case 3: Public. Federal CIO Council Information Security and Identity Management Committee (ISIMC) Guidelines for the Secure Use of Cloud Computing by Federal Departments and Agencies DRAFT V0.41 Earl Crane, CISSP, CISM

More information

OCIE CYBERSECURITY INITIATIVE

OCIE CYBERSECURITY INITIATIVE Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered brokerdealers and registered investment advisers, focusing on areas related to cybersecurity.

More information